Rails 6.1.x
NES Release Notes
6.1.7.29
Bug Fixes
- CVE-2025-24293 (activestorage) allowed transformation methods that were potentially unsafe
- CVE-2025-55193 (activestorage) logging vulnerable to ANSI escape injection
6.1.7.28
Notes
- No changes in Rails
- Bumped Rack version requirement to version 2.2.17.10
Bug Fixes
- Fixed CVE-2025-49007: ReDoS Vulnerability in Rack Multipart Handling. Read the announcement
6.1.7.27
Notes
- No changes in Rails
- Bumped Rack version requirement to version 2.2.14.10
Bug Fixes
- CVE-2025-46727 (rack) - Unbounded-Parameter DoS in Rack::QueryParser
- CVE-2025-32441 (rack) - Session Reuse in Rack::Session::Pool
6.1.7.26
Notes
- This is the initial release of the NES Rails 6.1.x series. It also includes the release of NES for Rack v2.2.13.10.
Bug Fixes
- CVE-2025-27111 (rack) - Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
- CVE-2025-27610 (rack) - Local File Inclusion in Rack::Static
- CVE-2025-25184 (rack) - Possible Log Injection in Rack::CommonLogger
- CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
- CVE-2024-47887 (actionpack) – Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
- CVE-2024-54133 (actionpack) – Fixed a possible Content Security Policy bypass in Action Dispatch.
- CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
- CVE-2024-47888 (actiontext) – Fixed a possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text